Introduction


This document demonstrates how to configure an IPSec VPN tunnel between a PIX Firewall and a Cisco VPN Client 3.x. The configuration example in this document also highlights the certification authority (CA) enrollment procedure for both the Cisco IOS® router and the Cisco VPN Client, as well as the use of a Smartcard as certificate storage.


Below is the required information for configuring the features that are described in this document. 


Note: To find additional information on the commands used in this document, use the IOS Command Lookup 
tool. A link to this tool can be found in the Tools Information section of this document. 


Components Used 
This document was developed and tested using the software and hardware versions below. 
• Cisco PIX Firewall running software version 6.2(1).
• Cisco VPN Client 3.5.1C on a PC running Windows 2000.
• A Microsoft Windows 2000 CA server is used in this document as the CA server.
• Certificates on the Client are stored using an Aladdin eToken Smartcard.

The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, be sure that you understand the potential impact of any command before using it.
Network Diagram

[Network diagram: Cisco VPN Client connecting through the PIX to the Corporate network]


Enrolling and Configuring the PIX 


Certificate Enrollment on PIX Firewall 


!--- Define a hostname and domain name for the PIX.
!--- The fully qualified domain name (FQDN) will be used
!--- as the identity of the PIX during certificate enrollment.
pix(config)# hostname puppy
pix(config)# domain-name cisco.com
!--- Confirm that you have the correct time set on the PIX;
!--- certificate validity is checked against this clock.
show clock
clock set <hh:mm:ss> {<day> <month> | <month> <day>} <year>
!--- This command clears any existing PIX RSA keys.
ca zeroize rsa
!--- Generate RSA (encryption and authentication) keys.
!--- Select the modulus size (512 or 1024).
ca generate rsa key <512 | 1024>
!--- You can confirm the keys generated.
show ca mypubkey rsa
!--- Define the CA identity (the SCEP enrollment URL on the Windows 2000 CA),
!--- set the retry parameters, authenticate the CA and enroll.
ca identity Kobe 10.1.1.2:/certsrv/mscep/mscep.dll
ca configure Kobe ra 1 20 crloptional
ca authenticate Kobe
ca enroll Kobe [ipaddress]
!--- Confirm the certificate and its validity.
show ca certificate


PIX Firewall Configuration

PIX Version 6.2(1)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
hostname puppy
domain-name cisco.com
fixup protocol ftp 21
fixup protocol http 80
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol ils 389
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol sip 5060
fixup protocol skinny 2000
names
!--- Traffic between the inside network and the VPN Client pool is exempted from NAT (see nat 0 below).
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
access-list acl_out permit tcp 10.64.10.0 255.255.255.0 eq www any
pager lines 24
logging on
interface ethernet0 10baset
interface ethernet1 10full
mtu outside 1500
mtu inside 1500
ip address outside 10.64.10.27 255.255.255.224
ip address inside 10.1.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
!--- Addresses handed out to VPN Clients.
ip local pool vpnpool 10.0.0.10-10.0.0.100
pdm location 10.1.1.2 255.255.255.255 inside
pdm location 10.64.10.0 255.255.255.0 outside
pdm location 64.104.205.0 255.255.255.0 outside
pdm history enable
arp timeout 14400
nat (inside) 0 access-list 120
!--- The CA server (10.1.1.2) is reachable from the outside as 10.64.10.2.
static (inside,outside) 10.64.10.2 10.1.1.2 netmask 255.255.255.255 0 0
access-group acl_out in interface outside
route outside 0.0.0.0 0.0.0.0 10.64.10.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h323 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server LOCAL protocol local
http server enable
http 10.1.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
!--- Let decrypted IPsec traffic bypass the interface access lists.
sysopt connection permit-ipsec
no sysopt route dnat
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set certset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
!--- IKE policy: authentication by RSA signature (certificates) rather than a pre-shared key.
isakmp policy 10 authentication rsa-sig
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
!--- The vpngroup name must match the OU in the client certificate.
vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
vpngroup vpncert password ********
ca identity Kobe 10.1.1.2:/CERTSRV/MSCEP/MSCEP.DLL
ca configure Kobe ra 1 20 crloptional
telnet timeout 5
ssh timeout 5
terminal width 80
Cryptochecksum: 56b426c59dec5e35fd9caabcaNdc5ec7
: end
[OK]
puppy(config)#
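The configuration above only works when its pieces reference each other correctly: the crypto map must be applied to an interface on which isakmp is enabled, the dynamic map must point at a transform set that exists, an isakmp policy must use rsa-sig, the ca identity needs its ca configure line, the vpngroup's address pool and the nat 0 access-list must be defined, and sysopt connection permit-ipsec must be present. The following Python script is an added example, not Cisco's code and not part of the original document; it audits exactly those relationships. The embedded configuration is a constructed extract of the one above, and the finding messages and the list of weak transforms are the script's own.

```python
import re

# Constructed extract of the PIX configuration shown in this document (not the full config).
SAMPLE_PIX_CONFIG = """\
access-list 120 permit ip 10.1.1.0 255.255.255.0 10.0.0.0 255.255.255.0
ip local pool vpnpool 10.0.0.10-10.0.0.100
nat (inside) 0 access-list 120
sysopt connection permit-ipsec
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto ipsec transform-set certset esp-des esp-md5-hmac
crypto dynamic-map dynmap 10 set transform-set myset
crypto map mymap 10 ipsec-isakmp dynamic dynmap
crypto map mymap interface outside
isakmp enable outside
isakmp policy 10 authentication rsa-sig
vpngroup vpncert address-pool vpnpool
ca identity Kobe 10.1.1.2:/CERTSRV/MSCEP/MSCEP.DLL
ca configure Kobe ra 1 20 crloptional
"""

# esp-des (56-bit DES) and esp-null should not protect a remote-access tunnel.
WEAK_TRANSFORMS = {"esp-des", "esp-null"}


def parse_pix_config(config):
    """Collect the objects the certificate VPN depends on and how they reference each other."""
    f = {"transform_sets": {}, "dynamic_maps": {}, "crypto_maps": {}, "map_interfaces": {},
         "isakmp_interfaces": set(), "isakmp_policies": {}, "vpngroups": {}, "pools": {},
         "ca_identities": set(), "ca_configured": set(), "nat0_acls": set(), "acls": set(),
         "sysopt_permit_ipsec": False}
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"crypto ipsec transform-set (\S+) (.+)", line):
            f["transform_sets"][m[1]] = m[2].split()
        elif m := re.match(r"crypto dynamic-map (\S+) \d+ set transform-set (.+)", line):
            f["dynamic_maps"][m[1]] = m[2].split()
        elif m := re.match(r"crypto map (\S+) \d+ ipsec-isakmp dynamic (\S+)", line):
            f["crypto_maps"][m[1]] = m[2]
        elif m := re.match(r"crypto map (\S+) interface (\S+)", line):
            f["map_interfaces"][m[1]] = m[2]
        elif m := re.match(r"isakmp enable (\S+)", line):
            f["isakmp_interfaces"].add(m[1])
        elif m := re.match(r"isakmp policy (\d+) (\S+) (\S+)", line):
            f["isakmp_policies"].setdefault(m[1], {})[m[2]] = m[3]
        elif m := re.match(r"vpngroup (\S+) address-pool (\S+)", line):
            f["vpngroups"][m[1]] = m[2]
        elif m := re.match(r"ip local pool (\S+) (\S+)", line):
            f["pools"][m[1]] = m[2]
        elif m := re.match(r"ca identity (\S+) ", line):
            f["ca_identities"].add(m[1])
        elif m := re.match(r"ca configure (\S+) ", line):
            f["ca_configured"].add(m[1])
        elif m := re.match(r"nat \(\S+\) 0 access-list (\S+)", line):
            f["nat0_acls"].add(m[1])
        elif m := re.match(r"access-list (\S+) ", line):
            f["acls"].add(m[1])
        elif line == "sysopt connection permit-ipsec":
            f["sysopt_permit_ipsec"] = True
    return f


def audit_pix_config(config):
    """Return human-readable findings; an empty list means the pieces reference each other correctly."""
    f = parse_pix_config(config)
    findings, used_sets = [], set()
    for cmap, dyn in f["crypto_maps"].items():
        if cmap not in f["map_interfaces"]:
            findings.append(f"crypto map {cmap} is not applied to any interface")
        if dyn not in f["dynamic_maps"]:
            findings.append(f"crypto map {cmap} references undefined dynamic map {dyn}")
        for ts in f["dynamic_maps"].get(dyn, []):
            used_sets.add(ts)
            if ts not in f["transform_sets"]:
                findings.append(f"dynamic map {dyn} references undefined transform-set {ts}")
            elif WEAK_TRANSFORMS & set(f["transform_sets"][ts]):
                findings.append(f"transform-set {ts} used by {dyn} offers a weak transform")
    for cmap, iface in f["map_interfaces"].items():
        if iface not in f["isakmp_interfaces"]:
            findings.append(f"isakmp is not enabled on {iface}, where crypto map {cmap} is applied")
    if not any(p.get("authentication") == "rsa-sig" for p in f["isakmp_policies"].values()):
        findings.append("no isakmp policy uses rsa-sig, so certificates cannot authenticate IKE")
    if not f["ca_identities"]:
        findings.append("no ca identity configured; the PIX cannot validate client certificates")
    for ca in sorted(f["ca_identities"] - f["ca_configured"]):
        findings.append(f"ca identity {ca} has no matching ca configure line")
    for grp, pool in f["vpngroups"].items():
        if pool not in f["pools"]:
            findings.append(f"vpngroup {grp} references undefined address pool {pool}")
    for acl in sorted(f["nat0_acls"] - f["acls"]):
        findings.append(f"nat 0 references undefined access-list {acl}")
    if not f["sysopt_permit_ipsec"]:
        findings.append("sysopt connection permit-ipsec is absent; decrypted VPN traffic hits the outside ACL")
    for ts in sorted(set(f["transform_sets"]) - used_sets):
        findings.append(f"transform-set {ts} is defined but not referenced by any map")
    return findings
```

Run against the extract, the only finding is that certset (the DES transform set) is defined but never used; deleting the crypto map mymap interface outside line, or switching the isakmp policy to pre-share, produces the corresponding finding, which is the kind of check worth running before a configuration like this goes live.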


Enrolling Cisco VPN Client Certificates 


Remember to install all the necessary drivers and utilities that come with the Smartcard device on the PC to be used with the Cisco VPN Client.

The following steps demonstrate the procedures used to enroll the Cisco VPN Client for a certificate from the Microsoft CA. The certificate is stored on the eToken Smartcard store.


Step-by-Step Instructions 


1. Launch a browser and go to the certificate server page (http://<CA server address>/certsrv in this example).


2. Select Retrieve the CA certificate or certificate revocation list to obtain a root certificate, then 
click Next. 


[Screenshot: Microsoft Certificate Services -- kobe, Welcome page. Select a task: "Retrieve the CA certificate or certificate revocation list" is selected; the other tasks are "Request a certificate" and "Check on a pending certificate".]


3. Click Install this CA certification path. 
[Screenshot: "Retrieve The CA Certificate Or Certificate Revocation List" page at http://10.64.10.2/certsrv/certcarc.asp. It offers the "Install this CA certification path" link (so that the computer trusts certificates issued by this CA; not needed if you request and install a certificate from this CA, because the path is then installed automatically) and a CA certificate download in DER encoded or Base 64 encoded form.]


4. When the Root Certificate Store window appears, click Yes to add the certificate to the Root Store. 


[Screenshot: Root Certificate Store dialog]
Do you want to ADD the following certificate to the Root Store?
Subject: kobe, ypnarp, cisco, syd, nsw, AU
Issuer: Self Issued
Time Validity: Thursday, 7 February 2002 through Saturday, 7 February 2004
Serial Number: 7F6385F3 654C30B4 438323D4 0D3BC61B
Thumbprint (sha1): F0476034 B8D66321 5BBBE36D 9837DBF4 6C752226
Thumbprint (md5): 4C216674 45EB22E9 069196B2 0F930403
[Yes] [No]


5. The CA Certificate Installed window displays indicating that the certificate has installed successfully. 


[Screenshot: "CA Certificate Installed" page at http://10.64.10.2/certsrv/certrmpn.asp: The CA certificate has been successfully installed.]


6. A certificate is generated for use with the Smartcard. 


7. Select Request a certificate, then click Next. 
[Screenshot: Microsoft Certificate Services -- kobe, Welcome page, with "Request a certificate" selected.]


8. In the Choose Request Type window, select Advanced request, then click Next. 


[Screenshot: "Choose Request Type" page at http://10.64.10.2/certsrv/certrqus.asp. Options: "User certificate request" and "Advanced request"; "Advanced request" is selected.]


9. Select Submit a certificate request to this CA using a form, then click Next. 
[Screenshot: "Advanced Certificate Requests" page at http://10.64.10.2/certsrv/certrqad.asp. You can request a certificate for yourself, another user, or a computer using one of the following methods; the policy of the CA determines the certificates you can obtain:
• Submit a certificate request to this CA using a form (selected).
• Submit a certificate request using a base64 encoded PKCS #10 file or a renewal request using a base64 encoded PKCS #7 file.
• Request a certificate for a smart card on behalf of another user using the Smart Card Enrollment Station (you must have an enrollment agent certificate to submit a request for another user).]


10. Fill in all the items on the Advanced Certificate Request form. Be sure that the department or organizational unit (OU) corresponds to the VPN Client group name, as configured in the PIX vpngroup name (vpncert in this example). Select the Cryptographic Service Provider (CSP) appropriate for your setup (the eToken CSP, so that the key pair is created on the Smartcard).
[Screenshot: Advanced Certificate Request form at http://10.64.10.2/certsrv/certrqma.asp, filled in as follows]
Identifying Information:
  Name: platetoken
  E-Mail: (blank)
  Company: cisco
  Department: vpncert
  City: syd
  State: nsw
  Country/Region: AU
Intended Purpose: Client Authentication Certificate
Key Usage: Exchange / Signature / Both
Key Size: 512 (common key sizes: 512 1024)
Create new key set (selected); Set the container name; Use existing key set; Enable strong private key protection; Mark keys as exportable; Use local machine store (you must be an administrator to generate a key in the local machine store)
Additional Options:
  Hash Algorithm: SHA (only used to sign the request)
  Save request to a PKCS #10 file; Attributes
[Submit]


11. The certificate enrollment invokes the eToken store. Enter the password and click OK. 
[Screenshot: "Select an eToken" dialog (eToken AKS ifdh 0, CardOS/M4 PRO). Enter the User Password: log in to your eToken to enable using/creating/removing your private key.]


12. Click Install this certificate. 


[Screenshot: "Certificate Issued" page at http://10.64.10.2/CERTSRV/certfnsh.asp: The certificate you requested was issued to you. Link: Install this certificate.]


13. The Certificate Installed window appears to confirm successful installation. 


[Screenshot: "Certificate Installed" page at http://10.64.10.2/CERTSRV/certrmpn.asp: Your new certificate has been successfully installed.]


14. Use the eToken Application Viewer to view the certificate stored on the Smartcard. 
[Screenshot: eToken Application Viewer (Logon, Refresh, Delete Profile), listing the PKI certificates stored on the eToken, including platetoken, with these details]
Issued By: kobe
Issue Date: Friday, May 17, 2002
Expiry Date: Saturday, May 17, 2003
Key Type: RSA (512 Bit)
Certificate intended purposes: Client Authentication
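Two of the checks described above can be automated before a token is handed to a user: step 10's rule that the certificate's OU must equal a vpngroup name on the PIX, and the enrollment section's reminder that the PIX clock must be correct, since the certificate is only valid between its issue and expiry dates. The following Python script is an added example, not part of this document and not Cisco's code. It parses the certificate subject as a DN string, looks for an OU that matches a vpngroup defined in the PIX configuration, and compares the validity window with the PIX clock. The subject, dates and configuration extract are constructed from the values shown in this document; that the OU match is exact and case-sensitive is an assumption.

```python
import re
from datetime import datetime

# Constructed extract of the PIX configuration shown in this document.
SAMPLE_PIX_CONFIG = """\
vpngroup vpncert address-pool vpnpool
vpngroup vpncert idle-time 1800
"""

# Subject and validity of the enrolled certificate, as constructed from the
# values entered on the Advanced Certificate Request form and shown in the viewer.
SAMPLE_SUBJECT = "CN=platetoken, OU=vpncert, O=cisco, L=syd, ST=nsw, C=AU"
SAMPLE_NOT_BEFORE = datetime(2002, 5, 17)
SAMPLE_NOT_AFTER = datetime(2003, 5, 17)


def parse_dn(dn):
    """Split an RFC 2253-style DN into {attribute: [values]}; a backslash escapes a comma in a value."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, _, value = rdn.partition("=")
        attrs.setdefault(key.strip().upper(), []).append(value.strip().replace("\\,", ","))
    return attrs


def vpngroup_names(pix_config):
    """Every vpngroup name defined in the PIX configuration."""
    return set(re.findall(r"^vpngroup (\S+) ", pix_config, re.M))


def check_client_certificate(subject_dn, not_before, not_after, pix_config, pix_clock):
    """Return findings that would stop this certificate from being usable against the PIX."""
    findings = []
    ous = parse_dn(subject_dn).get("OU", [])
    groups = vpngroup_names(pix_config)
    # The PIX picks the vpngroup from the certificate's OU; assumed exact, case-sensitive match.
    if not ous:
        findings.append("certificate has no OU, so the PIX cannot map it to a vpngroup")
    elif not set(ous) & groups:
        findings.append(f"OU {ous} matches no vpngroup on the PIX ({sorted(groups)})")
    # Validity is judged by the PIX clock, which is why 'show clock' comes before enrollment.
    if pix_clock < not_before:
        findings.append(f"PIX clock {pix_clock:%Y-%m-%d} is before the certificate's start "
                        f"{not_before:%Y-%m-%d}; check 'show clock'")
    elif pix_clock > not_after:
        findings.append(f"certificate expired {not_after:%Y-%m-%d}; PIX clock is {pix_clock:%Y-%m-%d}")
    return findings


if __name__ == "__main__":
    result = check_client_certificate(SAMPLE_SUBJECT, SAMPLE_NOT_BEFORE, SAMPLE_NOT_AFTER,
                                      SAMPLE_PIX_CONFIG, datetime(2002, 6, 1))
    print(result or "certificate is usable with this PIX configuration")
```

With the document's values the check passes; a certificate whose Department was typed as anything other than vpncert, or a PIX whose clock was never set, is reported before the user sees an unexplained IKE failure.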


Configuring the Cisco VPN Client to Use the Certificate for Connection to the PIX

The following steps demonstrate the procedures used to configure the Cisco VPN Client to use the certificate for PIX connections.


Step-by-Step Instructions 


1. Launch the VPN Client and click New to create a new connection. 


[Screenshot: Cisco Systems VPN Client main window, with the Connection Entry list, the New... and Options buttons, the "Host name or IP address of remote server" field, and the Connect and Close buttons.]
2. Assign a name and an optional description, then click Next.

[Screenshot: New Connection Entry Wizard. The VPN Client lets you create secure connections to remote networks; this wizard helps you create a connection entry for connecting to a specific remote network. Name of the new connection entry: to_puppy. Description of the new connection entry (optional): blank.]

3. Enter the host name or IP address of the server (10.64.10.27, the outside address of the PIX, in this example), then click Next.

[Screenshot: New Connection Entry Wizard. The following information identifies the server to which you connect for access to the remote network. Host name or IP address of the server: 10.64.10.27.]


4. Select Certificate and choose the Name stored on the Smartcard, then click Next. 
[Screenshot: New Connection Entry Wizard, authentication page. Your administrator may have provided you with group parameters or a digital certificate to authenticate your access to the remote server; if so, select the appropriate authentication method and complete your entries. Group Access Information (Name, Password, Confirm Password) is left blank; Certificate is selected, Name: platetoken (Microsoft); a Validate Certificate... button is available.]


5. Click Finish to save the configured entry. 


[Screenshot: New Connection Entry Wizard, final page. You have successfully created a new virtual private networking connection entry; click Finish to save this entry. To connect to the remote network, select the Connect button from the main window. To modify this connection entry, click Options on the main window and select Properties from the menu that appears.]


6. To start the VPN Client connection to the PIX, select the desired Connection Entry and click 
Connect. 
[Screenshot: Cisco Systems VPN Client main window. Connection Entry: to_puppy. Host name or IP address of remote server: 10.64.10.27. Connect and Close buttons.]


Installing eToken Smartcard Drivers

The following steps demonstrate how to install the Aladdin eToken Smartcard drivers.

Step-by-Step Instructions

1. Open the eToken Run Time Environment 2.65 setup wizard.
[Screenshot: "Welcome to the eToken Run Time Environment 2.65 Setup Wizard". The Setup Wizard will install eToken Run Time Environment 2.65 on your computer; click Next to continue or Cancel to exit the Setup Wizard.]


2. Accept the License Agreement terms and click Next. 


[Screenshot: eToken Run Time Environment 2.65 License Agreement page, showing the Aladdin Knowledge Systems Ltd. eToken Runtime Environment End User License Agreement, with "I accept" / "I do not accept the terms in the License Agreement" options and Back, Next and Cancel buttons.]


3. Click Install. 
[Screenshot: eToken Run Time Environment 2.65 Setup, "Ready to Install" page: Please remove any eTokens from the computer.]

[Screenshot: "Completing the eToken Run Time Environment 2.65 Setup Wizard": click the Finish button to exit the Setup Wizard.]


Verifying the Results 
This section provides information you can use to confirm that your configuration is working properly. 


Certain show commands are supported by the Output Interpreter tool, which allows you to view an analysis of 
show command output. A link to this tool can be found in the Tools Information section of this document. 
show crypto isakmp sa — Displays all current Internet Key Exchange (IKE) security associations (SAs) at a peer.

puppy(config)# show crypto isa sa
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
    10.64.10.27       10.64.10.3    QM_IDLE         0           2


show crypto ipsec sa — Displays the settings used by current security associations. 


puppy(config)# show crypto ipsec sa

interface: outside
    Crypto map tag: mymap, local addr. 10.64.10.27

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.10/255.255.255.255/0/0)
   current_peer: 10.64.10.3
   dynamic allocated peer ip: 10.0.0.10
     PERMIT, flags={}
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.64.10.27, remote crypto endpt.: 10.64.10.3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: 1904588b

     inbound esp sas:
      spi: 0x9a64505e (2590265438)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 4, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607999/28456)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0x1904588b (419715211)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 3, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4607999/28456)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:

   local  ident (addr/mask/prot/port): (10.64.10.27/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.10/255.255.255.255/0/0)
   current_peer: 10.64.10.3
   dynamic allocated peer ip: 10.0.0.10
     PERMIT, flags={}
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
    #pkts compressed: 0, #pkts decompressed: 0
    #pkts not compressed: 0, #pkts compr. failed: 0, #pkts decompress failed: 0
    #send errors 0, #recv errors 0

     local crypto endpt.: 10.64.10.27, remote crypto endpt.: 10.64.10.3
     path mtu 1500, ipsec overhead 56, media mtu 1500
     current outbound spi: d0c04f7c

     inbound esp sas:
      spi: 0x07b4e61e (129295902)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 2, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/27229)
        IV size: 8 bytes
        replay detection support: Y

     inbound ah sas:

     inbound pcp sas:

     outbound esp sas:
      spi: 0xd0c04f7c (3502264188)
        transform: esp-3des esp-md5-hmac ,
        in use settings ={Tunnel, }
        slot: 0, conn id: 1, crypto map: mymap
        sa timing: remaining key lifetime (k/sec): (4608000/27229)
        IV size: 8 bytes
        replay detection support: Y

     outbound ah sas:

     outbound pcp sas:
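Reading this output by hand is error-prone once more than one client is connected. The following Python script is an added example, not Cisco's code and not part of the original document: it parses show crypto ipsec sa into traffic flows and their ESP/AH SAs and reports what an operator would act on, namely flows whose SAs are up but have carried no packets, SAs without replay detection, DES-only transforms, and SAs about to rekey. The embedded output is a constructed abridgement of the output shown above; the threshold for "about to rekey" and the list of weak transforms are the script's own choices.

```python
import re

# Constructed abridgement of the 'show crypto ipsec sa' output shown in this document.
SAMPLE_SHOW_IPSEC_SA = """\
interface: outside
    Crypto map tag: mymap, local addr. 10.64.10.27
   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.10/255.255.255.255/0/0)
   current_peer: 10.64.10.3
    #pkts encaps: 4, #pkts encrypt: 4, #pkts digest 4
    #pkts decaps: 7, #pkts decrypt: 7, #pkts verify 7
     current outbound spi: 1904588b
     inbound esp sas:
      spi: 0x9a64505e (2590265438)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/28456)
        replay detection support: Y
     inbound ah sas:
     outbound esp sas:
      spi: 0x1904588b (419715211)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4607999/28456)
        replay detection support: Y
   local  ident (addr/mask/prot/port): (10.64.10.27/255.255.255.255/0/0)
   remote ident (addr/mask/prot/port): (10.0.0.10/255.255.255.255/0/0)
   current_peer: 10.64.10.3
    #pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0
     inbound ESP sas:
      spi: 0x07b4e61e (129295902)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/27229)
        replay detection support: Y
     outbound ESP sas:
      spi: 0xd0c04f7c (3502264188)
        transform: esp-3des esp-md5-hmac ,
        sa timing: remaining key lifetime (k/sec): (4608000/27229)
        replay detection support: Y
"""

WEAK_TRANSFORMS = {"esp-des", "esp-null"}


def parse_ipsec_sa(output):
    """Group the output into traffic flows (local/remote ident pairs), each with its list of SAs."""
    flows, flow, sa, section = [], None, None, None
    for raw in output.splitlines():
        line = raw.strip()
        if m := re.match(r"(local|remote)\s+ident.*:\s*\((.+)\)$", line):
            if m[1] == "local":   # a new 'local ident' line starts a new flow
                flow = {"local": m[2], "remote": None, "peer": None, "encaps": 0, "decaps": 0, "sas": []}
                flows.append(flow)
            else:
                flow["remote"] = m[2]
        elif m := re.match(r"current_peer:\s*(\S+)", line):
            flow["peer"] = m[1]
        elif m := re.match(r"#pkts (encaps|decaps):\s*(\d+)", line):
            flow[m[1]] = int(m[2])
        elif m := re.match(r"(inbound|outbound) (esp|ah|pcp) sas:", line, re.I):
            section = (m[1].lower(), m[2].lower())   # the PIX mixes 'esp' and 'ESP'
        elif m := re.match(r"spi:\s*(0x[0-9a-f]+)", line, re.I):
            sa = {"direction": section[0], "proto": section[1], "spi": m[1].lower(),
                  "transform": "", "kb_left": None, "sec_left": None, "replay": None}
            flow["sas"].append(sa)
        elif m := re.match(r"transform:\s*(.+?)\s*,?\s*$", line):
            sa["transform"] = m[1]
        elif m := re.match(r"sa timing: remaining key lifetime \(k/sec\): \((\d+)/(\d+)\)", line):
            sa["kb_left"], sa["sec_left"] = int(m[1]), int(m[2])
        elif m := re.match(r"replay detection support:\s*(\w)", line):
            sa["replay"] = m[1].upper()
    return flows


def audit_ipsec_sas(output, min_seconds_left=300):
    """Findings an operator would act on; an empty list means every flow looks healthy."""
    findings = []
    for flow in parse_ipsec_sa(output):
        label = f"{flow['local']} <-> {flow['remote']} via {flow['peer']}"
        if flow["encaps"] == 0 and flow["decaps"] == 0:
            findings.append(f"{label}: SA is up but has carried no packets in either direction")
        for sa in flow["sas"]:
            tag = f"{label}: {sa['direction']} {sa['proto']} SA {sa['spi']}"
            if sa["replay"] != "Y":
                findings.append(f"{tag} has replay detection disabled")
            if WEAK_TRANSFORMS & set(sa["transform"].split()):
                findings.append(f"{tag} uses a weak transform ({sa['transform']})")
            if sa["sec_left"] is not None and sa["sec_left"] < min_seconds_left:
                findings.append(f"{tag} rekeys in {sa['sec_left']}s")
    return findings


if __name__ == "__main__":
    for finding in audit_ipsec_sas(SAMPLE_SHOW_IPSEC_SA) or ["no findings"]:
        print(finding)
```

On the output above the only finding is that the second flow (the PIX's own address to the client) has not carried traffic yet, which is expected right after the tunnel comes up; the same script reports an SA negotiated with esp-des, or one whose replay detection is off, as soon as a client's proposal differs from what the transform set in the configuration allows.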


Tools Information

For additional resources, refer to Cisco TAC Tools for VPN Technologies and TAC Tools for Security Technologies.

Related Information

• Top Issues for PIX and VPN
• Documentation for PIX Firewall
• More Technical Tips for PIX Firewall and IP Security (IPSec)
• PIX Command Reference
• Security Product Field Notices (including PIX)
• Support Pages for PIX and IP Security (IPSec)